See:

- Bernát Gábor's excellent guide on [Python supply chain security](https://bernat.tech/posts/securing-python-supply-chain/).
- https://trailofbits.github.io/are-we-pep740-yet/

Ideas:

- [ ] Use `exclude-newer = "1 week"` under `[tool.uv]` in `pyproject.toml`. Needs [Only apply exclude-newer under dependency version constraints (astral-sh/uv#18914)](https://github.com/astral-sh/uv/issues/18914).

Tools:

- https://github.com/nsoranzo/check-pypi-metadata to check which packages don't implement Trusted Publishing yet.

Trusted publishing issues in our dependencies:

- [ ] annotated-types https://github.com/annotated-types/annotated-types/issues/95
- [x] anthropic https://github.com/anthropics/anthropic-sdk-python/issues/1568
- [ ] boto3 https://github.com/boto/boto3/issues/4427
- [ ] botocore https://github.com/boto/botocore/issues/3379
- [x] cloudbridge https://github.com/CloudVE/cloudbridge/issues/329
- [ ] contourpy https://github.com/contourpy/contourpy/issues/482
- [ ] cwl-upgrader https://github.com/common-workflow-language/cwl-upgrader/issues/211
- [ ] cwltest https://github.com/common-workflow-language/cwltest/issues/289
- [ ] cwltool https://github.com/common-workflow-language/cwltool/issues/2270
- [x] cyclopts https://github.com/BrianPugh/cyclopts/issues/811
- [ ] fsspec https://github.com/fsspec/filesystem_spec/issues/1866
- [x] gravity https://github.com/galaxyproject/gravity/pull/151
- [ ] gunicorn https://github.com/benoitc/gunicorn/issues/3409 (closed as wontfix)
- [x] huggingface-hub https://github.com/huggingface/huggingface_hub/issues/4236
- [x] isort https://github.com/PyCQA/isort/issues/2500
- [ ] jaraco-functools https://github.com/jaraco/jaraco.functools/issues/37
- [ ] markdown https://github.com/Python-Markdown/markdown/issues/1560
- [x] markdown-it-py https://github.com/executablebooks/markdown-it-py/pull/397
- [x] mdit-py-plugins https://github.com/executablebooks/mdit-py-plugins/issues/141
- [x] mistralai https://github.com/mistralai/client-python/pull/529
- [ ] mypy https://github.com/python/mypy/issues/19174
- [x] myst-parser https://github.com/executablebooks/MyST-Parser/issues/1139
- [ ] openai https://github.com/openai/openai-python/issues/3273
- [ ] paramiko https://github.com/paramiko/paramiko/issues/2625
- [ ] pyasn1 https://github.com/pyasn1/pyasn1/issues/99
- [ ] pyasn1-modules https://github.com/pyasn1/pyasn1-modules/issues/28
- [ ] pyreadline3 https://github.com/pyreadline3/pyreadline3/issues/46
- [ ] python-dateutil https://github.com/dateutil/dateutil/issues/1298
- [ ] redis https://github.com/redis/redis-py/issues/4008
- [ ] regex https://github.com/mrabarnett/mrab-regex/issues/587
- [ ] s3fs https://github.com/fsspec/s3fs/issues/1017
- [x] scipy https://github.com/scipy/scipy/issues/23839
- [ ] setuptools https://github.com/pypa/setuptools/issues/5231
- [ ] sqlalchemy https://github.com/sqlalchemy/sqlalchemy/discussions/13324
- [ ] temporalio https://github.com/temporalio/sdk-python/issues/1546
- [ ] tiktoken https://github.com/openai/tiktoken/issues/547
- [ ] tomli https://github.com/hukkin/tomli/issues/291
- [ ] tuspyserver https://github.com/edihasaj/tuspyserver/issues/84
- [ ] uvloop https://github.com/MagicStack/uvloop/issues/741
- [ ] watchdog https://github.com/gorakhargosh/watchdog/issues/1166

Other issues:

- [ ] https://github.com/astral-sh/uv/issues/15618